October 2018

October 15, 2018

The title of this post is the title of cybersecurity expert Bruce Schneier's new book. A lot of us worry about everything being connected to the internet and at an accelerating pace. Bill Gates' and Paul Allen's old time vision of a personal computer on every desk sounds antiquated today.

The New York Times (sub. req.) recently referenced Schneier's book in a story published on October 10th. That story was entitled, "A Future Where Everything Becomes a Computer Is as Creepy as You Feared."

Mark Zuckerberg wanted to connect everyone socially – his wild ride to success was without any government regulation. Look what that got us.

And now we have the Internet of Everything. Lots of benefits? Sure. But without government regulation, this could be (will be) a nightmare. Not many folks are thinking about this, much less doing anything about it.

As the article says, "Cars, door locks, contact lenses, clothes, toasters, refrigerators, industrial robots, fish tanks, sex toys, light bulbs, toothbrushes, motorcycle helmets — these and other everyday objects are all on the menu for getting "smart." Hundreds of small start-ups are taking part in this trend — known by the marketing catchphrase "the internet of things" — but like everything else in tech, the movement is led by giants, among them Amazon, Apple and Samsung."

We now have an Amazon microwave powered by Alexa, and Amazon is also selling its Alexa chip to other manufacturers. Both Facebook and Google recently unveiled their own home "hub" devices that let you watch videos and perform other digital tricks by voice.

Schneier argues that the economic and technical incentives of the internet-of-things industry do not align with security and privacy for society generally. Putting a computer in everything turns the whole world into a computer security threat — and the hacks and bugs uncovered in just the last few weeks at Facebook and Google illustrate how difficult digital security is even for the biggest tech companies. In a roboticized world, hacks would not just affect your data but could endanger your property, your life and even national security.

Schneier's book rings alarm bells, arguing for government regulation before calamities emerge. He suggests the need for a National Cyber Office for researching, advising and coordinating a response to threats posed by an everything-internet.

But he's a realist. "I can think of no industry in the past 100 years that has improved its safety and security without being compelled to do so by government," he wrote. But he conceded that government intervention seems unlikely at best. "In our government-can't-do-anything-ever society, I don't see any reining in of the corporate trends," he said.

Schneier's larger argument is that the cost of adding computers to objects will get so small that it will make sense for manufacturers to connect every type of device to the internet. At some point, the devices that don't connect to the internet will be rarer than ones that do.

There is an incentive to provide security for traditional computing devices. Apple has an incentive to keep writing security updates to keep your iPhone secure; it does so because iPhones are expensive, and Apple's brand depends on keeping you safe from digital threats.

Manufacturers of low-margin home appliances have little such expertise, and less incentive. That's why the internet of things has so far been synonymous with dreadful security — and why the FBI had to warn parents last year about the dangers of "smart toys," and why Dan Coats, the director of national intelligence, has identified smart devices as a growing threat to national security.

October 11, 2018

The Washington Post reported on October 10th that the Government Accountability Office issued a report on Weapons System Cybersecurity on October 9th. And the news isn't good. According to the report, the Pentagon's multibillion-dollar weapons systems are riddled with cybersecurity vulnerabilities. Military leaders are said to have ignored the problem for years, turning a blind eye to security weaknesses in newly developed systems that could potentially thwart military missions.

The GAO says that the military leaders did not take seriously the findings of Defense Department teams who "routinely found mission critical cyber vulnerabilities in nearly all weapons systems that were under development" for five years until 2017. "Using relatively simple tools and techniques, testers were able to take control of these systems and largely operate undetected." But even though some systems were so fragile that merely scanning them caused them to shut down, military officials who met with the watchdog "believed their systems were secure and discounted some test results as unrealistic."

The scary takeaway is this: "Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity."

This report is the first by the GAO to examine the cybersecurity of weapons systems. "The GAO report released today highlighted a shocking reality: just how far behind we actually are in adequately protecting our weapons systems and industrial suppliers from cyber threats," said Sen. James M. Inhofe (R-Okla.), the Armed Services Committee chairman. "I am pleased that this report helps identify vulnerabilities and supports this year's [National Defense Authorization Act], which increased investment in cyber infrastructure."

The report covered aircraft, ships, combat vehicles, satellites and other equipment, but didn't disclose which specific vulnerabilities or military programs it reviewed because such information is classified. But the GAO said cyberattacks on weapons systems could "limit the weapon's effectiveness, prevent it from achieving its mission, or even cause physical damage and loss of life."

"If a DOD network is compromised by a state adversary like Russia or China, our own weapons systems could theoretically be used against us. That's a scary proposition," said Jay Kaplan, a former National Security Agency cybersecurity analyst and security researcher for the Pentagon. "It might be a little far-fetched, and would probably require physical access and some very focused expertise. But when you are funded at the nation-state level to do this type of stuff, anything is in the realm of possibility, and that's what's most frightening about this report."

Pentagon testing teams found critical vulnerabilities in "nearly all" weapons systems that were under development or being tested between 2012 and 2017 and were able to gain full control of many systems. They didn't need sophisticated tools to do so, according to the report. Some weapons systems used software with passwords that testers guessed easily. The report also said some systems didn't encrypt their communications, meaning an attacker could read an administrator's username and password and use those credentials to gain greater access to the system. Cybersecurity 101 - it boggles the mind that this could be possible.
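To show how little skill the second finding demands, here is an added example (mine, not anything from the GAO report or the Post story) that pulls credentials out of unencrypted management traffic and flags the ones that would fall to a guessing attack. The traffic, the hosts and the wordlist are all constructed for the example; real captures would come from a packet capture reassembled into streams.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample of three reassembled TCP payloads seen on a maintenance
# network. Hosts, ports and contents are invented for this example.
SAMPLE_STREAMS: List[Tuple[str, str]] = [
    # HTTP Basic auth: the "secret" is only base64, i.e. cleartext.
    ("10.0.5.2 -> 10.0.5.10:80",
     "GET /admin/status HTTP/1.1\r\nHost: ctrl\r\n"
     "Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"),
    # FTP sends the password literally on the wire.
    ("10.0.5.2 -> 10.0.5.11:21",
     "220 maintenance ftp\r\nUSER maint\r\n331 Password required\r\n"
     "PASS Summer2017\r\nPASS Summer2017\r\n230 Login ok\r\n"),
    # TLS: the handshake is binary and nothing credential-like is visible.
    ("10.0.5.2 -> 10.0.5.12:443", "\x16\x03\x01\x00\x05 (binary handshake)"),
]

# Tiny stand-in for a default/weak password list; a real audit uses a
# proper wordlist plus the vendor's documented defaults.
WEAK_PASSWORDS = {"admin", "password", "123456", "Password1", "changeme"}

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.M | re.I)
FTP_USER_RE = re.compile(r"^USER\s+(\S+)\s*$", re.M)
FTP_PASS_RE = re.compile(r"^PASS\s+(\S+)\s*$", re.M)


def extract_credentials(payload: str) -> List[Dict[str, str]]:
    """Return every username/password pair recoverable from one cleartext stream."""
    found: List[Dict[str, str]] = []
    for m in BASIC_RE.finditer(payload):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: malformed base64, skip it
            continue
        user, _, pw = decoded.partition(":")
        found.append({"proto": "http-basic", "user": user, "password": pw})
    # FTP: pair each USER with the PASS that follows it; a retried PASS is
    # deliberately dropped by zip() since it has no matching USER.
    for user, pw in zip(FTP_USER_RE.findall(payload), FTP_PASS_RE.findall(payload)):
        found.append({"proto": "ftp", "user": user, "password": pw})
    return found


def audit(streams: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Run extraction over every stream and mark passwords that are in the weak list."""
    report: List[Dict[str, object]] = []
    for flow, payload in streams:
        for cred in extract_credentials(payload):
            report.append({**cred, "flow": flow, "weak": cred["password"] in WEAK_PASSWORDS})
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_STREAMS):
        print(entry)
```

The TLS stream yields nothing, which is the whole argument for encrypting the link: the same admin login over HTTPS or SFTP leaves the passive observer with nothing to replay. The weak-password flag is the cheap half of the testers' "relatively simple tools and techniques."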

It could be especially difficult for the Pentagon to bring its weapons systems up to par because the problems are rooted in the supply chain. Adding safeguards after a system has been deployed is costly and complicated, the GAO noted. And even if the Defense Department makes its new systems more secure, they could still be at risk if they're connected to older, less-secure systems.

For anyone who cares about our nation's security, this report is horrifying.

October 10, 2018

Naked Security reported on October 8th that on Saturday, September 8th, at 3:20 pm, Karen Navarra's Fitbit recorded her heart rate spiking. Within 8 minutes, the 67-year-old California woman's heart beat rapidly slowed. At 3:28 pm, her heart rate ceased to register at all.

A co-worker found her dead five days later, slouched in a chair at her dining room table, after she failed to show up for work at the pharmacy. She had a gaping wound to her neck and wounds on the top of her head. In her right hand was a large kitchen knife, but police think that her murderer put it there to stage a suicide.

Two pieces of technology led police, on September 25th, to charge Ms. Navarra's stepfather, Anthony Aiello, with her murder. Besides the Fitbit records, there are also surveillance videos that refuted Aiello's version of events.

Aiello claimed that the last time he spoke with his stepdaughter was when he brought homemade pizza and biscotti to her house in San Jose, California, for a brief visit. When investigators questioned Ms. Navarra's 92-year-old mother, Adele Aiello, and her 90-year-old stepfather, Anthony Aiello, he told them that he'd dropped off the food for his stepdaughter and then left her house within 15 minutes.

But, Aiello said, he saw Ms. Navarra drive by his home with a passenger in the car later that afternoon.

Police got a search warrant and retrieved the Fitbit. When they compared the dead woman's Fitbit data with video surveillance from her home, they discovered that Aiello's car was still there at the point when her Fitbit lost any traces of her heartbeat. Later, police found bloodstained clothing in Aiello's home.

Investigators confronted Aiello with the Fitbit information during questioning, explaining to him how the device records time, physical movement, and heart rate data. Then police told Aiello that his stepdaughter was dead prior to the time he left her house. Aiello said that couldn't be because she'd walked him to the door. The detective explained that both systems were on internet time, and there was no deviation.
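The detective's last remark is the crux of this kind of timeline work: two independent clocks only let you say "the car was still there when the heart stopped" if you know how far apart those clocks could be. Here is an added example, written for this post and not part of the Naked Security story or the police report, that correlates a wearable's heart-rate log with a camera's arrival/departure log and reports whether the conclusion survives an assumed clock skew. The readings and camera events are constructed to follow the narrative; the exact values are invented.

```python
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed wearable readings: (timestamp, beats per minute), None = no reading.
HEART_RATE: List[Tuple[datetime, Optional[int]]] = [
    (datetime(2018, 9, 8, 15, 0), 72),
    (datetime(2018, 9, 8, 15, 20), 134),   # spike
    (datetime(2018, 9, 8, 15, 24), 90),    # slowing
    (datetime(2018, 9, 8, 15, 27), 41),    # last reading
    (datetime(2018, 9, 8, 15, 28), None),  # nothing registers any more
    (datetime(2018, 9, 8, 15, 35), None),
]

# Constructed camera log: (timestamp, description).
CAMERA_LOG: List[Tuple[datetime, str]] = [
    (datetime(2018, 9, 8, 15, 12), "vehicle arrives, driveway"),
    (datetime(2018, 9, 8, 15, 33), "vehicle departs, driveway"),
]


def time_of_last_heartbeat(samples) -> Optional[datetime]:
    """Timestamp of the last sample that still carried a heart rate."""
    last = None
    for ts, bpm in samples:
        if bpm is not None and bpm > 0:
            last = ts
    return last


def presence_intervals(log, arrive="arrives", depart="departs"):
    """Pair arrival and departure events into (start, end) intervals.
    An arrival never followed by a departure becomes an open-ended (start, None)."""
    intervals: List[Tuple[datetime, Optional[datetime]]] = []
    start = None
    for ts, desc in sorted(log):
        if arrive in desc:
            start = ts
        elif depart in desc and start is not None:
            intervals.append((start, ts))
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals


def _within(start, end, moment, pad: timedelta) -> bool:
    """moment in [start - pad, end + pad]; a negative pad shrinks the interval."""
    if moment < start - pad:
        return False
    return end is None or moment <= end + pad


def vehicle_present(intervals, moment: datetime, max_skew=timedelta(0)):
    """Return (conclusive, possible).

    The camera clock is allowed to differ from the wearable clock by up to
    max_skew in either direction. 'conclusive' holds for every offset in that
    range (interval shrunk by the skew); 'possible' holds for at least one
    offset (interval widened by the skew). With zero skew the two coincide."""
    possible = any(_within(s, e, moment, max_skew) for s, e in intervals)
    conclusive = any(_within(s, e, moment, -max_skew) for s, e in intervals)
    return conclusive, possible


if __name__ == "__main__":
    last = time_of_last_heartbeat(HEART_RATE)
    ivs = presence_intervals(CAMERA_LOG)
    for skew in (0, 5, 10):
        print(skew, "min skew:", vehicle_present(ivs, last, timedelta(minutes=skew)))
```

With the constructed data the finding is conclusive at zero skew (the "internet time, no deviation" case) and still at five minutes, but at ten minutes of possible clock error it drops to merely possible. That is the check to run before a timestamp comparison is allowed to carry evidentiary weight.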

After detectives finished questioning Aiello, they left him alone in the interview room. According to the police report, Aiello then began to talk to himself, saying repeatedly… "I'm done."

October 09, 2018

CIS® recently released CIS RAM (Center for Internet Security Risk Assessment Method). CIS RAM is an information security risk assessment method that helps organizations implement and assess their security posture against the CIS Controls cybersecurity best practices. CIS RAM provides instructions, examples, templates, and exercises for conducting a cyber risk assessment. CIS RAM, developed by HALOCK Security Labs in partnership with CIS, helps model a reasonable use of the CIS Controls to address the risks present in any environment.

There are multiple risk assessment standards in the cybersecurity world. According to CIS, CIS RAM is the first to provide very specific instructions for analyzing information security risk in a way that regulators define as "reasonable" and judges evaluate as "due care." CIS RAM highlights the balance between the harm a security incident might cause and the burden of safeguards – the foundation of "reasonableness."

CIS RAM is free to use by anyone looking to improve their own cybersecurity. New users are typically able to design their risk assessment within the first day of following the CIS RAM instructions. You can download CIS RAM from the link given at the beginning of this post.

October 08, 2018

As reported by Forbes on September 30th, a child abuse investigation is the first known case anywhere in the world in which law enforcement used Apple's Face ID facial recognition technology to open a suspect's iPhone.

On August 10, the FBI searched the house of 28-year-old Grant Michalski, a Columbus, Ohio, resident who would later that month be charged with receiving and possessing child pornography. A federal investigator with a warrant told Michalski to put his face in front of the phone, which he did. That allowed the agent to look through the suspect's online chats, photos and whatever else he deemed worthy of investigation.

There have been multiple cases in which suspects have been told to unlock iPhones with their fingerprints, via Apple's Touch ID biometric login. The same technique was used on dead subjects. Earlier this year, Forbes disclosed the use of GrayKey, a $15,000-$30,000 tool that can break through the passcodes of the latest iOS models, including the iPhone X. Another contractor, Israel's Cellebrite, announced similar services.

Now Face ID is being used. While the investigator here had a warrant, and appeared to have done everything legally, there are serious concerns about the use of such tactics.

"Traditionally, using a person's face as evidence or to obtain evidence would be considered lawful," said Jerome Greco, staff attorney at the Legal Aid Society. "But never before have we had so many people's own faces be the key to unlock so much of their private information."

On the phone, there were conversations over chat app Kik Messenger in which users discussed abuse of minors, according to the affidavit's narrative. It was later discovered that Michalski had used Kik previously to talk with an undercover officer posing as a father interested in sex with children. Kik has had to deal with a vast number of child exploitation cases involving its platform, and promised to spend millions of dollars on fixing the problem.

Leading up to the seizure of the device, FBI special investigator David Knight had learned that Michalski had posted an ad on Craigslist titled "taboo," the investigator wrote. Emails were later shared between Michalski and another defendant William Weekley in which they discussed, amongst other things, incest and sex with minors, according to Knight's telling. That included sexual acts with a Jane Doe, whom Weekley referred to as his daughter. Both defendants await trial. No date has been set yet.

Though Knight may have found some evidence of criminal activity when he manually searched the device, in one respect the forced Face ID unlock of the iPhone X was a failure. It wasn't possible to siphon off all the data within using forensic technologies. That was because the passcode was unknown.

In modern iPhones, to hook the cellphone up to a computer and transfer files or data between the two, the passcode is required if the device has been locked for an hour or more. And forensic technologies, which can draw out far more information more quickly than can be done manually, need the iPhone to connect to a computer.

It appears Knight didn't keep the device open long enough and so couldn't start pulling out data with forensic kits. He admitted he wasn't able to get all the information he wanted, including app use and deleted files. What Knight did get he documented by taking pictures.

But he wasn't to be frustrated entirely. In another revelation in the court filings, Knight noted he'd learned both the Columbus Police Department and the Ohio Bureau of Investigation had access to "technological devices that are capable of obtaining forensic extractions from locked iPhones without the passcode." The only two companies known to have provided such services this year are Cellebrite and Grayshift.

Both those companies have been doing big business with the U.S. government of late. Grayshift scored its biggest order to date earlier this month, a $484,000 deal with the Secret Service. That followed a $384,000 contract with Immigration and Customs Enforcement (ICE). The Secret Service spent $780,000 on Cellebrite in September too.

Michalski's lawyer Steven Nolder told Forbes the FBI wanted to use Cellebrite tools to extract data from the device, but hadn't been successful despite the Face ID unlock. "Consequently, at this moment, they've not found any contraband on the cellphone," Nolder said over email. "That's a Pyrrhic victory as there was contraband found on other devices but there would be no need to challenge the warrant's facial recognition feature as my client was not harmed by its use."

But Nolder said that the cops were now using boilerplate language in warrants to allow them to access iPhones via Face ID. "Law seems to be developing to permit this tactic," Nolder added.

To date, there has been no challenge to the use of Face ID in this case or others. But Fred Jennings, a senior associate at Tor Ekeland Law, said they could come via the Fifth Amendment, which protects individuals from being compelled to incriminate themselves.

In previous rulings, suspects have been allowed to decline to hand over passcodes, because the forfeiture of such knowledge would amount to self-incrimination. But because the body hasn't been deemed a piece of knowledge, the same rulings haven't been applied to biometric information, like fingerprints or face scans. That's despite the fact that the use of passcodes, fingerprints and faces on an iPhone has the same effect in each case - unlocking the device.

Jennings thinks that as long as there's no specific legislation dealing with this apparent conflict, courts will continue to hear arguments over whether forced unlocks via facial recognition are a breach of the Fifth Amendment.

There are various ways in which the latest iPhones can evade federal investigations, even if Apple didn't design features for that specific purpose. Beyond the passcode, thanks to a feature called SOS mode, it's possible to shut down Face ID and Touch ID with five quick clicks of the power button in older iPhones. In the iPhone 8 and X, the same is achieved by holding the side button and one of the volume buttons. And if the device hasn't been opened within 48 hours, a passcode is required to open it again.

"Additionally, a long and unique alphanumeric passcode will prevent any forensic imaging attempts from decrypting your phone's data," said Ryan Stortz, a security researcher at Trail of Bits. "However, SOS won't save you if the feds distract you and seize your phone out of your hand."

Apple's Face ID also requires a person's eyes to be open. Not only that, Apple's tech has "liveness detection" that attempts to determine if the visage looking at the device is alive.

So, unlike Touch ID, Face ID doesn't work with the dead. According to one source in the forensics community who asked to remain anonymous, New York narcotics cops have even tried on multiple occasions to open iPhone X devices of heroin overdose victims but without success.

Sorry for some of the slightly ghoulish and unpleasant content in this post, but we receive a ton of questions about this topic, and the Forbes article did a really good job of detailing what is and isn't possible – and the current legal status of law enforcement's attempts to get access to smartphone data.

October 04, 2018

According to a DarkReading post, a study by password manager LastPass of 43,000 organizations that use its service shows that an employee, on average, shares six passwords with his or her co-workers and half of employees (oh good grief) reuse passwords among work and personal accounts.

There is a bit of very good news: 45% of businesses are using multifactor authentication (MFA), up from 24.5% last year.

The 50-minute podcast is certainly worth your time if you are involved in studying the future of law practice, the impact of ethical rules on that future, etc.

After AVVO launched in 2007, a lot of bars began to study AVVO. There was a fair amount of concern about the rating system, which seemed to us to reward those who interacted with AVVO. There were all kinds of ways to game the AVVO ratings and they became a popular topic on Google searches as AVVO's popularity increased. While Mark says that the company went after those who tried to game the system, I never saw any serious evidence of that. Attorneys bragged about how easy it was to get a "10" rating on AVVO. And we had recent news that AVVO has settled a New York probe, agreeing that it will no longer call its ratings "unbiased."

So the rating system bothered me a lot since it was so gamified. There was also a lot of talk about AVVO serving access to justice needs, something which is near and dear to my heart. But I never thought that was at the core of AVVO. It is a for-profit company – money was always the bottom line objective. I don't object to that . . . but I often thought that AVVO used access to justice as window dressing. In the course of the interview, Mark says, "the bread and butter business of AVVO was always the advertising business." That speaks for itself.

And then AVVO Legal Services came along, with AVVO determining a flat fee for legal services, holding the monies and disbursing them at the conclusion of the matter to the attorney and then extracting a 'marketing' fee. A number of states concluded that this violated the ethical prohibition against fee sharing.

Mark says it became obvious that there was a huge latent legal market not being served. Of those making $84,000 and up, half were not using lawyers. That was apparently the true target market financially: those who would be enticed by getting legal services at a low cost and would (hopefully) remain with the AVVO attorney and provide more substantial client fees in the future without AVVO involvement. While all that is good, it doesn't target those who are truly in dire need of legal help and often in dire straits financially.

Mark is not particularly enamored of legal regulators, understandably, saying, "the legal profession cuts off its nose to spite its face" and "The Bars were not being innovative, I feel they were being lazy – they had a lot of members complaining and they were just going to say no." It was a lot more substantive than that. Bars were bound to have members angry no matter which way they came down on the AVVO issues - and therefore we were cautious and deliberative.

Ethical rules are very important but they are too complex according to Mark – and I agree with that. Hence the changes Virginia made in its marketing rules, which fundamentally prohibit misleading or deceptive advertising.

Mark wasn't surprised that Internet Brands, which bought AVVO earlier this year, shut down AVVO Legal Services. As he said, all of the state opinions started coming out and the finish line seemed farther and farther away. I don't wonder that Mark was exhausted and ready to move on in life - or that his greatest regret is that AVVO Legal Services didn't succeed.

While Mark refers to state regulators as too fat and happy and not interested in consumers, I disagree. Virginia, along with a number of other states, is working on developing new ethical rules that would permit attorney client matching services, but avoiding the ethical pitfalls of the AVVO model.

So in the end, I agree with Bob that AVVO moved the legal world forward – whether we agreed with you or not, you pushed the envelope and that pushed everybody a few steps forward. That's a good thing for all of us.

October 02, 2018

The Washington Post reported on September 30th that the Trump administration said it will sue California to block what some experts have described as the toughest net neutrality law ever enacted in the United States.

On Sunday California became the largest state to adopt its own rules requiring internet providers like AT&T, Comcast and Verizon to treat all web traffic equally. California legislators took the step of writing their law after the Federal Communications Commission ditched nationwide protections last year, citing the regulatory burdens they had caused for the telecom industry.

Hours after California's proposal became law, senior Justice Department officials said they would take the state to court on grounds that the federal government has the exclusive power to regulate net neutrality. DOJ officials stressed the FCC had been granted such authority from Congress to ensure that all 50 states don't seek to write their own, potentially conflicting, rules governing the web.

The new law prohibits internet providers from blocking access to sites and services, slowing down web connections or charging companies for faster delivery of their movies, music or other content. Smaller web firms, in particular, worry that they do not have the resources to pay telecom giants to make sure their content is seen. The law also bans carriers from exempting apps from counting toward consumers' data allowances each month if doing so might harm companies, especially start-ups.

More than 20 states filed lawsuits against the FCC, arguing that the agency had acted arbitrarily in repealing the net neutrality rules. Their efforts have won the support of companies like Mozilla and trade associations representing tech giants including Amazon, Facebook and Google, along with consumer groups like Free Press and Public Knowledge.

Many governors and legislatures also set about trying to come up with policies preserving net neutrality within their borders, even though the FCC's repeal order explicitly prohibited states from writing their own open-internet laws. That prompted the DOJ to file its lawsuit in a federal court in Sacramento, which seeks a preliminary injunction that will stop California's net neutrality rules from taking effect on January 1.

October 01, 2018

There are many of us who have railed against AVVO's bogus attorney rating system, which could be artificially pumped up by anyone who could Google "How to Improve Your AVVO Rating." The ratings were inherently deceptive and prone to manipulation, some of it actively encouraged by AVVO itself.

So I was delighted when Reuters reported that New York Attorney General Barbara Underwood said that Avvo had agreed, following a probe by her office, to reform its rating system and improve disclosures after the probe revealed shortcomings in how it presented information to consumers seeking to hire lawyers. Specifically, it will no longer call its ratings "unbiased."

She also said Avvo was now "clearly and conspicuously" telling users that its ratings, on a 1 to 10 scale, rely on information that lawyers provide, meaning that lawyers who share their resumes or work experiences tend to rate higher than those who do not.

The attorney general said Avvo also agreed to remove ratings for lawyers who do not actively participate in its directory, and will ensure that forms it posts for consumers are first reviewed by qualified, licensed lawyers in New York.

Avvo will also pay $50,000 to cover costs. In a statement, Avvo said it was committed to providing "timely, accurate information" to help people find lawyers, and the changes reflected its "commitment to pro-consumer practices and improving the accessibility of the legal community."

As many folks know, AVVO was purchased earlier this year by Internet Brands – cheers to that company for reforming AVVO's much-maligned ratings system.

Sensei Enterprises, Inc.

3975 University Drive
Suite 225
Fairfax, VA 22030
703.359.0700

Disclaimer

This blog is intended to impart general information and does not offer specific legal advice. Use of this blog does not create an attorney-client relationship. If you require legal advice, consult an attorney.